API
application programming interface
GSSAPI
Generic Security Services Application Programming Interface (GSSAPI) is an IETF standard API that permits applications to access security services (such as Microsoft® Active Directory®). The Kerberos™ protocol is a type of GSSAPI.
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol over Secure Sockets Layer
HTTP Negotiate
HTTP Negotiate is an authentication extension that provides single sign-on for web applications that support Integrated Windows® authentication. HTTP Negotiate was developed by Microsoft.
IETF
Internet Engineering Task Force
IIS
Internet Information Services
KDC
A Key Distribution Center (KDC) is a server that performs the trusted arbitrator role for the Kerberos™ protocol. The KDC issues service tickets and maintains a list of tickets that it issued. Domain controllers are KDCs.
Kerberos protocol
The Kerberos™ protocol is a Microsoft® Active Directory® authentication protocol that permits a trusted third-party application to authenticate clients by exchanging encrypted service tickets with Microsoft Active Directory.
LDAP
Lightweight Directory Access Protocol
S4U2proxy extension
The S4U2proxy (Service-for-User-to-Proxy) extension completes the constrained delegation process. It permits a Kerberos™ enabled service to retrieve the service ticket of another Kerberos enabled service from the KDC on behalf of a client.
service ticket
A service ticket is a Kerberos™ key that a client of a Kerberos enabled service can use to open a trusted session with the Kerberos enabled service. The client of the Kerberos enabled service retrieves the service ticket for the Kerberos enabled service from the KDC.
SPN
A service principal name (SPN) is an attribute of a user or group in Microsoft® Active Directory® that supports mutual authentication between a client of a Kerberos™ enabled service and the Kerberos enabled service. A Microsoft Active Directory account can have one or more SPNs.
SPNEGO
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a GSSAPI pseudomechanism that negotiates one or more real mechanisms. A client can use SPNEGO when it must authenticate with a remote service but neither the client nor the service knows the authentication protocols that the other supports.
SSL
Secure Sockets Layer
TGS
The Ticket Granting Service (TGS) is a KDC service that grants service tickets for Kerberos™ enabled services on your organization's network.
TGT
The Ticket Granting Ticket (TGT) is a service ticket that a client of a Kerberos™ enabled service sends to the TGS to request the service ticket for the Kerberos enabled service.
TLS
Transport Layer Security